From 71381100906fb26a61c64c933a924d22547a2075 Mon Sep 17 00:00:00 2001 From: dodger Date: Mon, 9 May 2022 17:59:16 +0200 Subject: [PATCH] Added README_rds.md --- README.md | 2 +- README_rds.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 README_rds.md diff --git a/README.md b/README.md index 5e2edec..6c2e6cc 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ All without granting `super` permissions and having a histoc of changes on a _ps | :warning: WARNING | |:---------------------------| -| Amazon RDS has its own instructions on README_RDS.md | +| Amazon RDS has its own instructions on README_rds.md | | :warning: WARNING | ## Instructions diff --git a/README_rds.md b/README_rds.md new file mode 100644 index 0000000..c63df85 --- /dev/null +++ b/README_rds.md @@ -0,0 +1,44 @@ +# PostgreSQL expiration date management functions + +## Description + +This project tries to find a way to allow users the management of the `VALID UNTIL` expiration clause by themself. +All without granting `super` permissions and having a histoc of changes on a _pseudo-audit_ table + +## PRE-requisites + +As Amazon has modified Postgresql so you don't have access as a *real* superuser, the _dangerous_ function +`change_valid_until` should run as the owner of the database (the user created when you deploy the database through AWS) + + + +## Instructions + +## + +### First deploy +Deploy `passchanger.sql` on the desired cluster/database. + +It will: + * create a `dba` schema + * create a `dba` role + * create the `pwdhistory` table for audit purpouses + * Grant the minimum permissions for this new role so the whole thing works + * Create the 2 needed functions and grant permissions on them to `dba` + + +### Allowing users to use that functions +Take the file `grants_to_grant.sql` and modify the username _dodger_ so it match the username that should have the permissions. +Execute the grants on the cluster/database you have deployed `passchanger.sql` + + +### Changing password & extending expiration date + +The user should just execute: +``` +select dba.change_my_password('YOUR_NEW_GENERATED_PASSWORD_NOT_THIS_ONE') ; +``` + +## Helper script + +See README.md